Hi Steve,
I take it that dynamically linking the FIPS OpenSSL into an executable means that the FIPS certification is void for that application. So as you have stated, static linking is required. However, if I'm producing a security library that uses OpenSSL and I statically link the FIPS OpenSSL into that security library, but applications dynamically link against my security library, what does this mean as far as the FIPS certification is concerned?
IMO, if you can implement a check that the DSO matches the one you linked against (and that that matches the one compiled from the FIPS certified source), then you are FIPS compliant - however, we do not provide that facility out-of-the-box. We should, perhaps, modify the security policy to this effect.
Cheers,
Ben.
-- http://www.apache-ssl.org/ben.html http://www.thebunker.net/
"There is no limit to what a man can do or how far he can go if he doesn't mind who gets the credit." - Robert Woodruff
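
A sketch of the kind of check described in the reply above, added here as an example and not OpenSSL project code or anything posted in the thread: it finds which file is actually mapped for a library and compares its SHA-256 with a digest pinned at build time. The Linux `/proc/<pid>/maps` text format, the choice of SHA-256, and the names `libsecurity.so`, `loaded_paths` and `dso_matches` are assumptions.

```python
import hashlib, hmac, os, tempfile

def loaded_paths(maps_text, soname):
    """Distinct file paths mapped into the process whose basename starts with soname."""
    paths = []
    for line in maps_text.splitlines():
        fields = line.split(None, 5)  # range perms offset dev inode [path]
        if len(fields) == 6:
            path = fields[5].strip()
            if os.path.basename(path).startswith(soname) and path not in paths:
                paths.append(path)
    return paths

def file_sha256(path):
    """Hex SHA-256 of the file at path, read in chunks."""
    digest = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            digest.update(chunk)
    return digest.hexdigest()

def dso_matches(maps_text, soname, expected_hex):
    """True only if one copy of soname is mapped and its file hashes to expected_hex."""
    paths = loaded_paths(maps_text, soname)
    if len(paths) != 1:
        return False  # not loaded, or several copies mapped: fail closed
    try:
        actual = file_sha256(paths[0])
    except OSError:
        return False  # e.g. "... (deleted)": file replaced on disk after load
    return hmac.compare_digest(actual, expected_hex.lower())

if __name__ == "__main__":
    # Constructed stand-in for the DSO and for the /proc/self/maps text.
    with tempfile.TemporaryDirectory() as d:
        lib = os.path.join(d, "libsecurity.so.1")  # hypothetical library name
        with open(lib, "wb") as f:
            f.write(b"\x7fELF constructed sample bytes")
        pinned = file_sha256(lib)  # in practice recorded at build time
        maps = "7f00a000-7f00b000 r-xp 00000000 08:01 42    " + lib + "\n"
        print(dso_matches(maps, "libsecurity.so", pinned))  # True
        with open(lib, "ab") as f:
            f.write(b"patched")
        print(dso_matches(maps, "libsecurity.so", pinned))  # False
```

This covers only the "matches the one you linked against" half of the check; tying the pinned digest to a build from the FIPS certified source is a matter for the build process.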